Steps to Connection – Cisco Access Registrar 3.5 User Manual



Cisco Access Registrar 3.5 Concepts and Reference Guide


Chapter 1 Overview

RADIUS Protocol

Figure 1-1 Packet Exchange Between User, NAS, and RADIUS

Cisco Access Registrar can also reject the request (Access-Reject) if it needs to deny network access to the
user. Or, Cisco Access Registrar may issue a challenge (Access-Challenge) that the NAS relays to the user; the
user creates the proper response and returns it to the NAS, which forwards the challenge response to Cisco
Access Registrar in a second Access-Request packet.

To protect the exchange, the client (NAS) and server share a secret, a string both sides know but which is
never sent over the network. The secret is used to hide the User-Password attribute in transit and to
authenticate the server's response. Note that only the User-Password attribute is hidden; the rest of the
packet (username, NAS identity, session attributes) travels in the clear, and the hiding is derived from the
shared secret, so a weak or widely reused secret weakens this protection.

Steps to Connection

Three participants take part in this interaction: the user, the NAS, and the RADIUS server. The following
steps describe the process from receipt of an Access-Request through the sending of the response.

Step 1

The user, at a remote location such as a branch office or at home, dials into the NAS, and supplies a name
and password.

Step 2

• The NAS picks up the call and begins negotiating the session.

• The NAS receives the name and password.

• The NAS formats this information into an Access-Request packet.

• The NAS sends the packet on to the Cisco Access Registrar server.

Step 3

The Cisco Access Registrar server determines what hardware sent the request (NAS) and parses the

• It sets up the Request dictionary based on the packet information.

• It runs any incoming scripts, which are user-written extensions to Cisco Access Registrar. An
incoming script can examine and change the attributes of the request packet or the environment
variables, which can affect subsequent processing.

• Based on the scripts or the defaults, it chooses a service to authenticate and/or authorize the user.

Step 4

Cisco Access Registrar’s authentication service verifies that the username and password are in its database.
Or, Cisco Access Registrar delegates the authentication (as a proxy) to another RADIUS server, an
LDAP directory, or a TACACS server.

Step 5

Cisco Access Registrar’s authorization service creates the response with the appropriate attributes for
the user’s session and puts it in the Response dictionary.

Step 6

If you are using Cisco Access Registrar session management at your site, the Session Manager calls the
appropriate Resource Managers that allocate dynamic resources for this session.

Step 7

Cisco Access Registrar runs any outgoing scripts to change the attributes of the response packet.
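The exchange described in Steps 1 through 7, together with the shared-secret password hiding described
earlier in this section, as an added example written for this page. It is not code from the Cisco Access
Registrar guide or product; it implements the standard RADIUS wire format (RFC 2865): the NAS formats an
Access-Request with the User-Password hidden under the shared secret, the server parses it into a Request
dictionary, runs an incoming-script hook, authenticates against a local user table, builds the Response
dictionary, and signs the reply with the Response Authenticator, which the NAS checks before trusting it.
The user table, the incoming script, the NAS and Framed IP addresses, and the secret are constructed for
the example.

```python
"""Added example, not Cisco Access Registrar code: a minimal RADIUS Access-Request
exchange following RFC 2865 to illustrate the steps above."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS = 1, 2, 4, 8


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out


def unhide_password(hidden, secret, request_auth):
    """Inverse of hide_password; the key for each block is MD5(secret + prior ciphertext)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")  # strip the RFC padding; passwords cannot end in NUL


def encode(code, ident, authenticator, attrs):
    """Header (Code, Identifier, Length) + 16-byte Authenticator + TLV attributes."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def decode(raw):
    """Parse a datagram; reject lengths that do not fit so a bad NAS cannot crash us."""
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 20 or length != len(raw):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        t, l = raw[pos], raw[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs.append((t, raw[pos + 2:pos + l]))
        pos += l
    return code, ident, raw[4:20], attrs


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


USERS = {b"alice": b"correct horse"}  # constructed sample user database (assumption)


def incoming_script(request):
    """Stand-in for an incoming script (assumption): split a realm off the User-Name."""
    if b"@" in request["User-Name"]:
        request["User-Name"], request["Realm"] = request["User-Name"].split(b"@", 1)
    return request


def nas_build_request(ident, username, password, secret):
    """Step 2: the NAS formats the credentials into an Access-Request."""
    request_auth = os.urandom(16)  # must be unpredictable; it keys the password hiding
    attrs = [(USER_NAME, username),
             (USER_PASSWORD, hide_password(password, secret, request_auth)),
             (NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))]  # constructed NAS address
    return encode(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def server_handle(raw, secret, users=USERS):
    """Steps 3 to 5: parse into a Request dictionary, run the script, authenticate, reply."""
    code, ident, request_auth, attrs = decode(raw)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    a = dict(attrs)
    hidden = a.get(USER_PASSWORD)
    if hidden is None or len(hidden) % 16:
        raise ValueError("missing or malformed User-Password")
    request = {"User-Name": a.get(USER_NAME, b""),
               "User-Password": unhide_password(hidden, secret, request_auth),
               "NAS-IP-Address": a.get(NAS_IP_ADDRESS, b"")}
    request = incoming_script(request)
    expected = users.get(request["User-Name"], b"")
    # constant-time compare so a reject does not leak how much of the password matched
    if expected and hmac.compare_digest(expected, request["User-Password"]):
        response = {"code": ACCESS_ACCEPT, "attrs": [(FRAMED_IP_ADDRESS, bytes([10, 0, 0, 7]))]}
    else:
        response = {"code": ACCESS_REJECT, "attrs": []}
    auth = response_authenticator(response["code"], ident, request_auth, response["attrs"], secret)
    return encode(response["code"], ident, auth, response["attrs"])


def nas_check_reply(raw_reply, request_auth, secret):
    """The NAS recomputes the Response Authenticator; returns the code or None if forged."""
    code, ident, auth, attrs = decode(raw_reply)
    expected = response_authenticator(code, ident, request_auth, attrs, secret)
    return code if hmac.compare_digest(auth, expected) else None
```

Two points the code makes concrete: the Request Authenticator is random per request and is sent in the
clear, so everything protecting the password is the shared secret fed through MD5; a guessable secret lets
anyone who captures the packet recover the password offline. And without the optional Message-Authenticator
attribute (RFC 2869) the Access-Request itself carries no integrity check, which is why the NAS-to-server
path is normally kept on a trusted management network.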